PPPoE—QinQ Support

First Published: January 16, 2004

Last Updated: November 27, 2009

Encapsulating IEEE 802.1Q VLAN tags within 802.1Q enables service providers to use a single VLAN to support customers who have multiple VLANs. The PPPoE—QinQ Support feature on the subinterface level preserves VLAN IDs and keeps traffic in different customer VLANs segregated.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for PPPoE—QinQ Support" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.An account on Cisco.com is not required.

Restrictions for PPPoE—QinQ Support

•Supports only PPP over Ethernet (PPPoE) and IP packets that are double-tagged for IEEE 802.1Q in 802.1Q (QinQ) VLAN tag termination. Specifically, PPPoEoQinQ and IPoQinQ are supported.

•PPPoE over QinQ (PPPoEoQinQ) supports a maximum of 32,000 PPPoE sessions per interface for a maximum of 32,000 PPPoE sessions for the router. Note that the number of supported PPPoE sessions per interface can be limited by the cap of 32,000 sessions of any type that can run on the router.

•PPPoEoQinQ supports 4094 outer VLAN IDs and 4094 inner VLAN IDs if only PPPoE is enabled and IP is not enabled on the subinterface.

•IP over QinQ (IPoQinQ) supports a maximum of 16,000 IPoQinQ subinterfaces per interface.

PPPoE—QinQ Support on Subinterfaces

The PPPoE—QinQ Support feature adds another layer of IEEE 802.1Q tag (called "metro tag" or "PE-VLAN") to the 802.1Q tagged packets that enter the network. The purpose is to expand the VLAN space by tagging the tagged packets, thus producing a "double-tagged" frame. The expanded VLAN space allows the service provider to provide certain services, such as Internet access on specific VLANs for specific customers, and yet still allows the service provider to provide other types of services for their other customers on other VLANs.

Generally the service provider's customers require a range of VLANs to handle multiple applications. Service providers can allow their customers to use this feature to safely assign their own VLAN IDs on sub interfaces because these subintervals VLAN IDs are encapsulated within a service provider-designated VLAN ID for that customer. Therefore there is no overlap of VLAN IDs among customers, nor does traffic from different customers become mixed. The double-tagged frame is "terminated" or assigned on a subintervals with an expanded encapsulation dot1q command that specifies the two VLAN ID tags (outer VLAN ID and inner VLAN ID) terminated on the subintervals. See Figure 1.

The PPPoE—QinQ Support feature is generally supported on whichever Cisco IOS features or protocols are supported on the subinterface. For example, if you can run PPPoE on the subinterface, you can configure a double-tagged frame for PPPoE. IPoQinQ supports IP packets that are double-tagged for QinQ VLAN tag termination by forwarding IP traffic with the double-tagged (also known as stacked) 802.1Q headers.

Note The Cisco 10000 series router supports PPPoEoQinQ in Cisco IOS Release 12.3(7)XI1 and later releases, and IPoQinQ in Cisco IOS Release 12.3(7)XI7 and later releases.

The primary benefit for the service provider is a reduced number of VLANs supported for the same number of customers. Other benefits of this feature are as follows:

•PPPoE scalability. Expanding the available VLAN space from 4096 to about 16.8 million (4096 times 4096) allows the number of PPPoE sessions that can be terminated on a given interface to be multiplied.

Note The Cisco 10000 series router supports up to 32,000 PPPoE sessions per interface for a maximum of 61,500 PPPoE sessions for the router. These sessions may be over PPPoEoQinQ ambiguous or unambiguous subinterfaces.

•When deploying Gigabyte Ethernet DSL Access Multiplexer (DSLAM) in a wholesale model, you can assign the inner VLAN ID to represent the end-customer virtual circuit (VC) and assign the outer VLAN ID to represent the service provider ID.

The QinQ VLAN tag termination feature is simpler than the IEEE 802.1Q tunneling feature deployed for the Catalyst 6500 series switches or the Catalyst 3550 and Catalyst 3750 switches. Whereas switches require IEEE 802.1Q tunnels on interfaces to carry double-tagged traffic, routers need only encapsulate QinQ VLAN tags within another level of 802.1Q tags in order for the packets to arrive at the correct destination.

Figure 1 Untagged, 802.1Q-Tagged, and Double-Tagged Ethernet Frames

Cisco 10000 Series Router Application

For the emerging broadband Ethernet-based DSLAM market, the Cisco 10000 series router supports QinQ encapsulation. With the Ethernet-based DSLAM model shown in Figure 2, customers typically get their own VLAN; all these VLANs are aggregated on a DSLAM.

Figure 2

Broadband Ethernet-based DSLAM Model of QinQ VLANs

VLAN aggregation on a DSLAM will result in many aggregate VLANs that at some point need to be terminated on the broadband remote access servers (BRAS). Although the model could connect the DSLAMs directly to the BRAS, a more common model uses the existing Ethernet-switched network where each DSLAM VLAN ID is tagged with a second tag (QinQ) as it connects into the Ethernet-switched network.

The Cisco 10000 series router supports PPPoEoQinQ in Cisco IOS Release 12.3(7)XI1 and later, and IP over QinQ (IPoQinQ) in Cisco IOS Release 12.3(7)XI7 and later releases. Both PPPoE sessions and IP can be enabled on a sub interface. For information on supported PPPoE sessions, number of supported inner and outer VLAN IDs, and general restrictions on the Cisco 10000 series router, see the "Restrictions for PPPoE—QinQ Support" section.

The PPPoEoQinQ model is a PPP-terminated session.

PPPoEQinQ and IPoQinQ encapsulation processing is an extension to 802.1Q encapsulation processing. A QinQ frame looks like a VLAN 802.1Q frame; the only difference is that it has two 802.1Q tags instead of one. See Figure 1.

Security ACL Application on the Cisco 10000 Series Router

The PPPoE—QinQ Support feature provides limited security ACL support for PPPoEoQinQ subinterfaces for the Cisco 10000 series router. There are no ACL restrictions on subinterfaces configured with IPoQinQ.

If you apply an ACL to PPPoE traffic on a QinQ subinterface in a VLAN, apply the ACL directly on the PPPoE session, using virtual access interfaces (VAIs) or RADIUS attribute 11 or 242.

You can apply ACLs to VAIs by configuring them under virtual template interfaces. You can also configure ACLs by using RADIUS attribute 11 or 242. When you use attribute 242, a maximum of 30,000 sessions can have ACLs.

ACLs that are applied to the VLAN QinQ subinterface have no effect and are silently ignored. In the following example, ACL 1 that is applied to the VLAN QinQ subinterface level will be ignored:

Router(config)# interface FastEthernet3/0/0.100

Router(config-subif)# encapsulation dot1q 100 second-dot1q 200

Router(config-subif)# ip access-group 1

Unambiguous and Ambiguous Subinterfaces

Note Only PPPoE is supported on ambiguous subinterfaces. Standard IP routing is not supported on ambiguous subinterfaces.

The encapsulation dot1q command is used to configure QinQ termination on a subinterface. The command accepts an outer VLAN ID and one or more inner VLAN IDs. The outer VLAN ID always has a specific value, and the inner VLAN ID can either be a specific value or a range of values.

A subinterface that is configured with a single inner VLAN ID is called an unambiguous QinQ subinterface. In the following example, QinQ traffic with an outer VLAN ID of 101 and an inner VLAN ID of 1001 is mapped to the Gigabit Ethernet 1/0.100 subinterface:

Router(config)# interface gigabitEthernet1/0.100

Router(config-subif)# encapsulation dot1q 101 second-dot1q 1001

A subinterface that is configured with multiple inner VLAN IDs is called an ambiguous QinQ subinterface. By allowing multiple inner VLAN IDs to be grouped, ambiguous QinQ subinterfaces allow for a smaller configuration, improved memory usage, and better scalability.

In the following example, QinQ traffic with an outer VLAN ID of 101 and inner VLAN IDs anywhere in the 2001-2100 and 3001-3100 range is mapped to the Gigabit Ethernet 1/0.101 subinterface:

Note The any keyword in the second-dot1q keyword is not supported on a subinterface configured for IPoQinQ because IP routing is not supported on ambiguous subinterfaces. Therefore, multiple values and ranges for the inner VLAN ID are not supported on IPoQinQ.

Note On the Cisco 10000 series router, MQC is supported only on unambiguous subinterfaces.

How to Configure PPPoE—QinQ Support

Configuring the Interfaces for PPPoE—QinQ Support

Perform this task to configure the main interface used for the QinQ double tagging and to configure the subinterfaces. An optional step in this task shows you how to configure the Ethertype field to be 0x9100 for the outer VLAN tag, if that is required. After the subinterface is defined, the 802.1Q encapsulation is configured to use the double tagging.

Configuration Examples for PPPoE—QinQ Support

Configuring the any Keyword on Subinterfaces for PPPoE—QinQ Support: Example

Some ambiguous subinterfaces can use the any keyword for the inner VLAN ID specification. The any keyword represents any inner VLAN ID that is not explicitly configured on any other interface. In the following example, seven subinterfaces are configured with various outer and inner VLAN IDs.

Note The any keyword can be configured on only one subinterface of a specified physical interface and outer VLAN ID.

Note The any keyword in the second-dot1q keyword is not supported on a subinterface configured for IPoQinQ because IP routing is not supported on ambiguous subinterfaces. Therefore, multiple values and ranges for the inner VLAN ID are not supported on IPoQinQ.

interface GigabitEthernet1/0/0.1

encapsulation dot1q 100 second-dot1q 100

interface GigabitEthernet1/0/0.2

encapsulation dot1q 100 second-dot1q 200

interface GigabitEthernet1/0/0.3

encapsulation dot1q 100 second-dot1q 300-400,500-600

interface GigabitEthernet1/0/0.4

encapsulation dot1q 100 second-dot1q any

interface GigabitEthernet1/0/0.5

encapsulation dot1q 200 second-dot1q 50

interface GigabitEthernet1/0/0.6

encapsulation dot1q 200 second-dot1q 1000-2000,3000-4000

interface GigabitEthernet1/0/0.7

encapsulation dot1q 200 second-dot1q any

Table 1 shows which sub interfaces are mapped to different values of the outer and inner VLAN IDs on QinQ frames that come in on Gigabit Ethernet (GE) interface 1/0/0.

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

—

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Feature Information for PPPoE—QinQ Support

Table 3 lists the features in this module and provides links to specific configuration information.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Encapsulating IEEE 802.1Q VLAN tags within 802.1Q enables service providers to use a single VLAN to support customers who have multiple VLANs. The PPPoE—QinQ Support feature on the subinterface level preserves VLAN IDs and keeps traffic in different customer VLANs segregated.

In 12.3(7)T, this feature was introduced.

In 12.3(7)XI1, support for PPPoEoQinQ, PPPoE packets that are double-tagged for QinQ VLAN tag termination, was implemented on the Cisco 10000 series routers.

In 12.3(7)XI7, support for IPoQinQ, IP packets that are double-tagged for QinQ VLAN tag termination, was added on the Cisco 10000 series routers.

In 12.2(28)SB2, support for PPPoEoQinQ, PPPoE packets that are double-tagged for QinQ VLAN tag termination, was implemented on the Cisco 10000 series routers.

In 12.2(31)SB2, support for IPoQinQ was added on the Cisco 7200 and Cisco 10000 series routers.

In 12.2(33)SRC, support for PPPoEoQinQ was added on the Cisco 7600 series routers.

In 12.2(33)SB, support for PPPoEoQinQ was implemented on the Cisco 10000 series routers.

In 12.4T, this feature was supported.

The following commands were introduced or modified: dot1q tunneling ethertype, encapsulation dot1q, show vlans dot1q

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.